Storm Worm - Still Evolving 

May 05, 2008 08:27 PM

No sooner had various agencies commented on the shrinking of the Storm network than we started seeing signs of another wave of malware in the offing. We are currently tracking a number of fast-flux domains associated with Trojan.Peacomm (a.k.a. Storm). These domains were registered just a few days ago. Simply visiting the sites presents the user with a blank page; however, requesting a specific file path on them returns a script that attempts to exploit several different vulnerabilities in turn. Among the issues targeted are Bugtraq IDs 20047, 28157, 23224, 27533 and 27626. If the user's computer is vulnerable to any of them, an executable is downloaded and run on the user's computer. This file is detected by Symantec products as Trojan.Peacomm.D. Antivirus signatures block execution of the dropped file, and the IPS signatures in our products also detect and block the exploitation attempts themselves, under the names 'MSIE ADODB.Stream Object File Installation Weakness' and 'MSIE DHTML CreateControlRange Code Exec'.
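Fast-flux hosting, as used for the domains above, rotates a domain's A records rapidly across many unrelated networks with short TTLs, and that pattern can be scored from nothing more than repeated DNS lookups. The following is an added example, not code from the original post or from Symantec. The DNS observations are constructed, the domain names are placeholders, and the thresholds (at least five distinct addresses across at least three /16 networks, a TTL of five minutes or less, and an answer set that changes between polls) are a hypothetical rule of thumb; /16 prefixes stand in for the autonomous-system diversity a real analysis would look up from BGP data:

```python
"""Fast-flux heuristic scored over repeated DNS lookups (added example, constructed data)."""
from ipaddress import ip_address, ip_network

# Constructed observations: each list entry is one poll of a domain's A records,
# stored as (ttl_seconds, [addresses]). The addresses are RFC 1918 placeholders.
OBSERVATIONS = {
    "flux-example.invalid": [
        (180, ["10.1.2.3", "10.7.8.9", "10.33.4.5"]),
        (180, ["10.1.2.3", "10.99.1.1", "10.200.5.6"]),
        (180, ["10.7.8.9", "10.150.2.2", "10.33.4.5"]),
        (180, ["10.99.1.1", "10.201.3.3", "10.1.2.3"]),
    ],
    "static-example.invalid": [
        (86400, ["10.50.1.1", "10.50.1.2"]),
        (86400, ["10.50.1.1", "10.50.1.2"]),
        (86400, ["10.50.1.2", "10.50.1.1"]),
        (86400, ["10.50.1.1", "10.50.1.2"]),
    ],
}


def summarize(polls):
    """Collapse a sequence of (ttl, addresses) polls into the features the heuristic uses."""
    ips, nets, ttls = set(), set(), []
    changed = 0           # polls whose answer set differs from the previous poll
    previous = None
    for ttl, answers in polls:
        current = {ip_address(a) for a in answers}
        ips |= current
        # /16 prefixes stand in for autonomous systems, which a real pipeline
        # would resolve from BGP data.
        nets |= {ip_network(f"{a}/16", strict=False) for a in current}
        ttls.append(ttl)
        if previous is not None and current != previous:
            changed += 1
        previous = current
    return {
        "distinct_ips": len(ips),
        "distinct_nets": len(nets),
        "min_ttl": min(ttls),
        "changed_polls": changed,
    }


def is_fast_flux(polls, min_ips=5, min_nets=3, max_ttl=300):
    """Hypothetical thresholds: many addresses, spread over several networks,
    a short TTL, and an answer set that actually changes between polls."""
    s = summarize(polls)
    return (
        s["distinct_ips"] >= min_ips
        and s["distinct_nets"] >= min_nets
        and s["min_ttl"] <= max_ttl
        and s["changed_polls"] >= 1
    )


def classify(observations):
    """Return {domain: verdict} for every tracked domain."""
    return {domain: is_fast_flux(polls) for domain, polls in observations.items()}


if __name__ == "__main__":
    for domain, verdict in classify(OBSERVATIONS).items():
        label = "fast-flux" if verdict else "static"
        print(f"{domain}: {label} {summarize(OBSERVATIONS[domain])}")
```

Live observations can be gathered by running `dig +noall +answer <domain> A` at intervals, which prints the TTL alongside each record. The thresholds should be tuned against known CDN domains before use: those also return many addresses, but normally from a small number of networks, which is why the network-diversity condition matters more than the raw address count.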

What is interesting is that we have yet to come across any spam that would lead people to these domains. This is very unusual for Storm. Also notable is the shift from relying purely on social engineering to actively exploiting vulnerabilities. In the past, the Storm authors linked directly to the malware, either on Web sites or within spam emails, and relied on the recipient to run it; the malware made no attempt to check for any particular vulnerability before installing itself.

Nothing currently links to the domains being tracked. This could mean either that the sites are still under development, or that the authors plan to use a different technique to spread their creations. If it is the former, a spam wave should be expected in the coming days, and the upcoming Mother's Day would make a convenient lure. If it is the latter, what would the technique be? For now we can only speculate. April saw four incidents in which iframe tags were injected into legitimate Web sites, causing anyone who visited an affected site to download malware without their knowledge. Is it far-fetched to imagine the Storm authors using the same iframe injection technique? Are the people behind these attacks working together?
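The iframe injection described above leaves a recognizable mark on the compromised site itself: the injected frame is typically sized to zero or one pixel or hidden with CSS, and its source sits on a domain unrelated to the site. The following added example (not part of the original post) scans HTML for iframes that are both off-site and invisible. The sample page, the hostnames in it and the "one pixel or smaller" threshold are constructed for illustration:

```python
"""Find hidden off-site iframes in a page (added example, constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page for the site www.example.com: a legitimate video embed,
# an injected 0x0 frame, a same-site tracking frame, and a CSS-hidden injected frame.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.net/embed/123" width="640" height="360"></iframe>
<iframe src="http://bad.invalid/x.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="/track.html" width="1" height="1"></iframe>
<div><iframe src="http://evil.invalid/ad.html" style="width:1px;height:1px;visibility:hidden"></iframe></div>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _length(value):
    """Parse a width/height attribute or CSS length as whole pixels; None if not numeric."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


def _style_decls(style):
    """Split an inline style attribute into {property: value}."""
    decls = {}
    for decl in style.split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            decls[k.strip().lower()] = v.strip().lower()
    return decls


def is_suspicious(iframe, site_host):
    """Off-site source combined with a zero/one-pixel box or a hiding CSS rule."""
    host = (urlparse(iframe.get("src", "")).hostname or "").lower()
    # Relative URLs and the site's own subdomains are not treated as injected here.
    external = bool(host) and host != site_host and not host.endswith("." + site_host)
    style = _style_decls(iframe.get("style", ""))
    width = _length(iframe.get("width", style.get("width", "")))
    height = _length(iframe.get("height", style.get("height", "")))
    tiny = width is not None and height is not None and width <= 1 and height <= 1
    hidden = style.get("visibility") == "hidden" or style.get("display") == "none"
    return external and (tiny or hidden)


def find_injected_iframes(html, site_host):
    """Return the src of every iframe in the page that looks injected."""
    parser = IframeCollector()
    parser.feed(html)
    site_host = site_host.lower()
    return [f.get("src", "") for f in parser.iframes if is_suspicious(f, site_host)]


if __name__ == "__main__":
    for src in find_injected_iframes(SAMPLE_HTML, "www.example.com"):
        print("suspicious iframe:", src)
```

Run it over a saved copy of a page with `find_injected_iframes(open(path).read(), "host")`. The check is deliberately conservative: an injected frame that is full-size, or one whose hiding rule lives in an external stylesheet or an enclosing element, is not caught, so a production scanner should also diff the page against a known-good copy.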

The jury is out on these questions; only time will confirm the method used in this wave of attacks. It is certainly an interesting development in the story of the Storm worm. We urge users to keep their antivirus signatures up to date. Keeping operating system patches current is important, but most of the vulnerabilities targeted by this malware are in third-party products, so make sure installed applications are updated to the latest version available from the vendor.
